Incident Watch

ServiceNow Vulnerability Exposes Sensitive Data to Unauthorized Users

Due to a vulnerability in how ServiceNow's Access Control Lists (ACLs) are enforced, low-privileged users can infer, and in many cases reconstruct, data in tables and fields they are not authorized to read.

What Happened: Researchers identified a vulnerability in ServiceNow that permits unauthorized users to access sensitive data from restricted tables.

Here’s How the Vulnerability Works: 

  • ServiceNow uses Access Control Lists (ACLs) to decide who can access data. 
  • For a user to access a resource, they must pass all four ACL checks: 
    • Required roles
    • Security attributes
    • Data conditions
    • Script conditions
  • The Issue: The weakness is conceptually similar to a Boolean-based blind SQL injection. Suppose a table contains sensitive data and access needs to be tightened. Depending on the requirements, there are several ways to enforce the restriction, listed below. Only the first, a role or security-attribute restriction on the table-level ACL, hides the records entirely. In the other three, the system still reports the total number of records matching a query, even when some of those records or fields are not visible to the user. By varying the query conditions (for example, a prefix match on a hidden field) and watching whether the count changes, an attacker can confirm that a value exists and, one character at a time, learn what it is, without ever being granted read access to it.
    • Add role or security attribute restrictions at the table-level ACL: This fully hides all records, and their count, from low-privileged users.
    • Add role or security attribute restrictions at the field-level ACL: Users can still see the records, but the restricted fields (columns) are hidden.
    • Use data conditions or advanced conditions in the table-level ACL: This filters out records based on dynamic criteria. Users can see all fields, but only for the records they are allowed to access.
    • Use data conditions or advanced conditions in the field-level ACL: This enables fine-grained control, where certain fields are visible or hidden depending on the data in each row.

Why This Matters: 

  • Vulnerabilities like this expose sensitive and confidential data to users with minimal access rights. Organizations rely on ServiceNow to securely manage critical business workflows and information such as personal data, credentials, and internal configurations. An attacker who exploits this flaw can silently harvest that data without ever being granted read access to it.
  • Insider risk is a major concern: Employees or contractors with limited privileges might exploit this vulnerability to access data beyond their clearance, maliciously or accidentally causing data leaks or misuse.

Taking a Step Back: 

  • Each SaaS platform is unique and complex: Every SaaS app, from ServiceNow to M365 to Workday, uses its own mix of permissions, roles, and rules, creating distinct security challenges. Because of this complexity, manual security reviews often fall short and miss misconfigurations or vulnerabilities.
  • Understanding the Shared Responsibility Model: In situations like these, many organizations mistakenly assume that the SaaS vendor handles all aspects of security. The vendor is responsible for securing the application's underlying infrastructure, but how data access is configured, through ACLs, roles, and user provisioning (which decides whether a flaw like this one leaks anything), remains the organization's responsibility.

How to Lock Down your ServiceNow Environment: 

General Strategies:

  • Enforce least privilege access
  • Conduct regular permission reviews
  • Monitor and log access
  • Track admins and limit self-registration

For Obsidian Customers:

  • Add the ServiceNow connection, if not already done 
    • This process will take less than five minutes, and once connected, Obsidian will create a historic baseline of all ServiceNow activity
  • In the posture module, sort by services to drill down on specific ServiceNow violations 
    • Sort these rules and settings by criticality and leverage provided steps to remediate
    • Leverage Obsidian to specifically look for settings where self-service registration is enabled
